Security News

New Zloader Banking Malware Campaign Exploiting Microsoft Signature Verification
2022-01-05 20:18

An ongoing ZLoader malware campaign has been uncovered exploiting remote monitoring tools and Microsoft's digital signature verification to siphon user credentials and sensitive information. "The malware then exploits Microsoft's digital signature verification method to inject its payload into a signed system DLL to further evade the system's defenses."

Android banking trojan spreads via fake Google Play Store page
2021-12-24 15:27

The actors have set up a page that looks very close to Android's official Google Play app store to trick visitors into thinking they are installing the app from a trustworthy service. The malware pretends to be the official banking app for Itaú Unibanco and features the same icon as the legitimate app.

Log4j vulnerability now used to install Dridex banking malware
2021-12-20 16:33

Threat actors now exploit the critical Apache Log4j vulnerability named Log4Shell to infect vulnerable devices with the notorious Dridex banking trojan or Meterpreter. The Dridex malware is a banking trojan originally developed to steal online banking credentials from victims.

Microsoft Details Building Blocks of Widely Active Qakbot Banking Trojan
2021-12-13 06:58

Infection chains associated with the multi-purpose Qakbot malware have been broken down into "distinct building blocks," an effort that Microsoft said will help to proactively detect and block the threat in an effective manner. The Microsoft 365 Defender Threat Intelligence Team dubbed Qakbot a "customizable chameleon that adapts to suit the needs of the multiple threat actor groups that utilize it."

Phishing attacks use QR codes to steal banking credentials
2021-12-10 19:10

A new phishing campaign that targets German e-banking users has been underway in the last couple of weeks, involving QR codes in the credential-snatching process. If the embedded button is clicked, the victim arrives at the phishing site after passing through Google's feed proxy service 'FeedBurner'.

Android malware infected more than 300,000 devices with banking trojans
2021-12-08 23:23

The initial apps in Google Play were safe, but the creators found a way around the Play Store's protections to install malware on Android users' devices. A November report from ThreatFabric revealed that more than 300,000 Android users unknowingly downloaded malware with banking trojan capabilities, and that it bypassed the Google Play Store restrictions.

Fake support agents call victims to install Android banking malware
2021-12-03 17:40

The BRATA Android remote access trojan has been spotted in Italy, with threat actors calling victims of SMS attacks to steal their online banking credentials. The Italian campaign was first spotted in June 2021, delivering multiple Android apps through SMS phishing, otherwise known as smishing.

4 Android Banking Trojan Campaigns Targeted Over 300,000 Devices in 2021
2021-12-01 20:51

Four different Android banking trojans were spread via the official Google Play Store between August and November 2021, resulting in more than 300,000 infections through various dropper apps that posed as seemingly harmless utility apps to take full control of the infected devices. While Google earlier this month instituted limitations to restrict the use of accessibility permissions that allow malicious apps to capture sensitive information from Android devices, operators of such apps are increasingly refining their tactics by other means even when forced to choose the more traditional way of installing apps through the app marketplace.

Android banking malware infects 300,000 Google Play users
2021-11-30 16:07

Malware campaigns distributing Android trojans that steal online bank credentials have infected almost 300,000 devices through malicious apps pushed via Google's Play Store. The Android banking trojans delivered onto compromised devices attempt to steal users' credentials when they log in to online banking or cryptocurrency apps.

Researchers Flag 300K Banking Trojan Infections from Google Play in 4 Months
2021-11-29 21:15

Overcoming Google Play app restrictions, attackers have successfully racked up more than 300,000 banking trojan installations over just the past four months in the official Android app marketplace. Researchers from ThreatFabric reported that these threat groups have honed their ability to use Google Play to propagate banking trojans by shrinking the footprint of their dropper apps, eliminating the number of permissions they ask for, boosting the overall quality of the attack with better code and standing up convincing companion websites.